Today, if you are a serious amateur who wants to record high-quality videos on a budget, you can get a nice DSLR for less than 1000€ which comes with every feature you’ll ever need. If not, you can easily extend the functionality with software add-ons like Magic Lantern. Back in 2008 this wasn’t the case and I had a Canon HF10 camcorder, one of the first to record Full-HD AVCHD video to an SD card. It had reasonable performance for its price, but sooner rather than later I was missing some important video features like zebra patterns and manual gain.

There are a lot of workarounds on the internet to still achieve what you want without having the specific functionality, but it is an unnecessary pain, especially since it is usually a software function that may exist in the firmware but just got disabled on the cheap consumer model, while being enabled on the expensive model sold as the professional counterpart. I started looking around for possible hacks to enable such functions, and discovered a nice software add-on for Canon PowerShot still cameras called CHDK. The documentation of this project says that the most important thing to start working on such a firmware hack is a dump of the camera firmware or a firmware update file released by the manufacturer.

Decryption Successful

So when Canon released a firmware update for my HF10 camcorder, I opened a thread (nickname Wiesel) on the CHDK forum about this endeavor and started to analyze the file. I soon discovered how the file was encrypted and was able to reconstruct the key calculation algorithm, based on the 300D decryption keys released elsewhere, leading to a decryption and encryption tool for HF10 and HV30 update files. This motivated others to jump in on the effort and contribute a lot of additional knowledge on the hardware, memory layout and disassembled program code. It all culminated in a hack for the HV20 and HV30 by the awesome jollyrogerxp, who documented his long journey into the depths of the camcorders on the HV20 forum (now HDDV forum). An HF10 hack, however, never came to life since I was missing the required knowledge, and it seems that nobody else ever got around to doing that tedious and dirty work either.

6 Years Later

Just recently I stumbled upon a firmware update of a newer camera model and wondered if Canon had changed the encryption scheme in the meantime – and found out they hadn’t. Even better, I also found out where the only decryption parameter that changes from model to model comes from. It took me a few days of work, but I extended the firmware decryption tool to support every model that I could find a firmware update for, and most probably also every other model available to this day. I also took this occasion to publish the firmware decrypter/encrypter and other tools that I have written related to the firmware files to a GitHub repository.